Skip to Content
avatar image
Former Member

Increase retention period of Audit logs.

Friends,

We have the requirement from the Auditors to increase the retention period of logs from

3 months to 6 months.

Can someone please guide me on this one? Thanks and let me know.

Do I need to change any parameter in SAP to increase the size of Audit file @ OS level?

Any help or suggestions is helpful.

Regards,

Pranav

Add comment
10|10000 characters needed characters exceeded

  • Get RSS Feed

2 Answers

  • Best Answer
    avatar image
    Former Member
    Dec 27, 2008 at 06:12 AM

    The parameter rsau/max_diskspace/local is for specifying the maximum size for the file.The audit files are located in the individual application servers.

    SAP systems maintain their audit logs on a daily basis. The system does not delete or overwrite audit files from previous days, it keeps them until you manually delete them. Due to the amount of information that gets collected, you should archive these files on a regular basis and delete the originals from the application server.The default value is 1 megabyte (MB) or 1000000 bytes. If the maximum size is reached, the auditing process stops.

    Use transaction SM18 to delete old audit log files.

    Add comment
    10|10000 characters needed characters exceeded

  • avatar image
    Former Member
    Dec 29, 2008 at 09:19 PM

    Lets return to the original question...

    >

    > We have the requirement from the Auditors to increase the retention period of logs from

    > 3 months to 6 months.

    >

    > Can someone please guide me on this one? Thanks and let me know.

    > Do I need to change any parameter in SAP to increase the size of Audit file @ OS level?

    >

    > Any help or suggestions is helpful.

    >

    The management of daily files seems not to be the problem here, although it is relevant for the number of files created and their size... for storing them on external media for safekeeping (incase some auditor wants to read the file as well, or you do to reconstruct an event).

    The possibility exists to delete the audit log files after 3 days. At the application layer, this is blocked for the 1st three days (as a security measure).

    Most likely you only need to speak to your basis folks to ensure that there is enough space on the file system for the logs, and reschedule the job which is deleting the files to do so for files older than 6 months (instead of 3).

    Now-a-days, 100 MB is not a lot of space and does not cost much. 600 MB will fit on a "vanialla" CD which costs less than 1 Euro. You can also copy then to an external medium before deleting them.

    FYI: Reading the logs are a major pain, and I doubt that the auditors actually do this... but there are some usefull techniques you can use to send alerts when certain audit log messages appear (to solve the needle in a haystack problem) or read them all remotely and then use the same to drill down and analyze patterns. But you first need to know what the "alerts" are and which "patterns" to look for in the data you will be collecting. If you are only logging "unsuccesfull transaction start" and stuff like that, then you might as well turn it off again (even if it does keep the auditors happy).

    Hope that helps a bit more,

    Julius

    Add comment
    10|10000 characters needed characters exceeded